Upguard is reporting it found more than 540 million records from two Facebook app providers on two unprotected Amazon S3 buckets.
The exposed information is from the Mexican media firm Cultura Colectiva and a now defunct Facebook-integrated app called "At the Pool."
The Cultura Colectiva dataset contained 146GB of data with 540 million records showing comments, likes, reactions, account names, Facebook IDs and more, Upguard wrote. The At the Pool server had a database backup containing 22,000 records listing fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb_checkins, fb_interests and password, although Upguard believes the password is for the app, not the person's Facebook password.
The At the Pool app ceased operating in 2014.
"Each of the data sets was stored in its own Amazon S3 bucket configured to allow public download of files," Upguard wrote, adding that while the two sets contained somewhat different pieces of information they both contain data about Facebook users, describing their interests, relationships, and interactions that were available to third party developers.
Upguard said it notified Cultura Colectiva on 10 and 14 January and did not receive a response. With the data still visible on 1 February the security firm then notified Amazon Web Services, which immediately responded that it would contact the owner. However, on 21 February the data was still visible so Upguard sent another email to AWS. Amazon said it would look into the situation, but the database was not locked down until 3 April.
At the Pool’s server was taken down just as Upguard was deciphering ownership.
"Facebook’s policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data," a Facebook spokesperson told SC Media.
"These two situations speak to the inherent problem of mass information collection: the data doesn’t naturally go away, and a derelict storage location may or may not be given the attention it requires," Upguard said.
While this case does not have the same big-picture implications as the infamous Cambridge Analytica case, where the firm used the private information of 50 million Facebook users without their permission for electoral purposes, it does serve as another spotlight shining into the darkest corners, revealing how Facebook handles data.
"For years, Facebook allowed third-party app developers to access the Facebook data of anyone who logged in with their Facebook accounts, including the basic profile information of everyone on each user’s friends list. Although Facebook has rules about how that data can be used and stored, there’s little means of Facebook actually enforcing those policies until after some damage has been done," said Paul Bischoff, privacy advocate at Comparitech.com.
The fact that At the Pool is out of business is an additional obstacle that Facebook, the victims and users need to learn how to avoid. Rod Simmons, vice president of product strategy at STEALTHbits Technologies, said end users need to understand the permissions they are granting when downloading an app and attempt to ensure the developer can be trusted to handle the data.
Simmons also noted it’s hard to collect a penalty from a defunct company, but there are other options.
"If you have financial penalties they only mean something for a company in business. In this situation 22,000 records were lost and the company is out of business so there is no fine that can be paid by a bankrupt company. Jail time however is a penalty an executive cannot escape just because they go out of business," he said.
Even though Facebook is the poster child for lax data practices at the moment, and other large firms will almost certainly become involved in a similar situation, Mukul Kumar, CISO and VP of Cyber Practice at Cavirin, believes there are some prophylactic moves that should be made.
"Two half-fixes. Facebook and others need to go through their records, and reach out to their various partners to secure any customer data. Given that some of these partners may not have the expertise or may no longer exist, Facebook may need to work directly with the public cloud providers, and if they don’t take the initiative, the government should intervene," he said.
Facebook needs to make privacy a core value and create a senior post that will own the issue, along with a strong staff and corporate backing, said Sam Curry, chief security officer at Cybereason.
"Call in independent advisors and observers. Then take 30 days to create and publish a plan in place to fix what’s broken at home and to simultaneously champion and promote privacy to chart a course for the industry," Curry added.
In an email to SC Media UK, Dr Richard Gold, head of security engineering at Digital Shadows, commented: "This is fundamentally a third-party risk story and needs to be put in context. Facebook has not itself been breached and whilst Cultura Colectiva appears to have violated its terms and conditions with Facebook by hosting users' data insecurely, this is not wholesale abuse on the scale of Cambridge Analytica.
"Breached information in this case has been limited to comments, reactions and account names specific to that app – it’s obviously an undesirable situation but information of this kind would be of limited use to cyber-criminals. Securing of S3 buckets and other files is a serious issue however. Last year, Digital Shadows discovered over 1.5 billion files from a host of services, including Amazon S3 buckets, rsync, SMB, FTP, NAS drives, and misconfigured websites. Amazon now sets S3 buckets as private by default and organisations should not alter these settings and take steps to set permissions and monitor for unusual activity."
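The exposure Upguard describes ("configured to allow public download of files") and the advice in the quote above ("set permissions and monitor") both come down to three S3 settings: the bucket policy, the legacy bucket ACL, and the account or bucket public access block. The following is an added example, written for this page and not code from Upguard, Digital Shadows or AWS, that audits those three documents offline. It assumes inputs shaped like the responses of the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock API calls; every bucket name, role ARN and account ID in it is a constructed sample.

```python
"""Offline checks for the S3 exposure pattern described in the article: a bucket whose
policy or ACL grants anonymous read, with no public access block in front of it.
All inputs are constructed samples shaped like the documents the S3 API returns
(GetBucketPolicy, GetBucketAcl, GetPublicAccessBlock); nothing is fetched from AWS."""
import json

# Grantee groups that mean "anyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Policy actions that allow object download, including wildcards that cover it.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous or every AWS account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy_json):
    """Sids (or positional labels) of Allow statements granting object read to anyone.
    Statements carrying a Condition are reported too, flagged for manual review,
    because a condition may or may not actually narrow the audience."""
    doc = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append({"sid": stmt.get("Sid", f"statement[{index}]"),
                             "conditioned": bool(stmt.get("Condition"))})
    return findings


def public_acl_grants(grants):
    """Permissions the legacy ACL hands to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS]


# The four settings of an S3 public access block. With all four True, existing public
# ACLs are ignored and public bucket policies are restricted to the owner and AWS
# services; this is the configuration you would apply with put_public_access_block().
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def public_access_block_complete(config):
    return all(config.get(key) is True for key in HARDENED_PUBLIC_ACCESS_BLOCK)


def audit_bucket(policy_json, acl_grants, public_access_block):
    """Summarise why a bucket is (or is not) readable by the world."""
    return {
        "policy_findings": public_read_statements(policy_json) if policy_json else [],
        "acl_findings": public_acl_grants(acl_grants),
        "public_access_block_complete": public_access_block_complete(public_access_block),
    }


def is_world_readable(report):
    """World-readable unless a complete public access block overrides policy and ACL."""
    if report["public_access_block_complete"]:
        return False
    return bool(report["policy_findings"] or report["acl_findings"])


# Constructed samples (not taken from the article) -----------------------------
EXPOSED_POLICY = json.dumps({          # the "public download of files" configuration
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-backups/*"}],
})
HARDENED_POLICY = json.dumps({         # only a named application role may read objects
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRoleRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-backups/*"}],
})
EXPOSED_ACL = [{"Grantee": {"Type": "Group",
                            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}]
OWNER_ONLY_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                   "Permission": "FULL_CONTROL"}]
NO_BLOCK = {key: False for key in HARDENED_PUBLIC_ACCESS_BLOCK}

if __name__ == "__main__":
    exposed = audit_bucket(EXPOSED_POLICY, EXPOSED_ACL, NO_BLOCK)
    hardened = audit_bucket(HARDENED_POLICY, OWNER_ONLY_ACL, HARDENED_PUBLIC_ACCESS_BLOCK)
    print("exposed bucket world-readable:", is_world_readable(exposed), exposed)
    print("hardened bucket world-readable:", is_world_readable(hardened))
```

The checks are deliberately conservative: a public statement with a Condition is still reported, because conditions such as a source-VPC restriction genuinely narrow access while others do not, and only a human reading the condition can tell. Applying the complete public access block first, then reviewing individual policies, matches the default-private posture the quote recommends; the monitoring half of that advice (watching for unusual GetObject activity) is a separate logging concern this example does not cover.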
The original version of this article was first published on SC Media US.